DETAILED ACTION 

1. Claims 1-2, 4-10, 12-22, 28-35, 40-42 and 45-53. Claims 3, 11, 23-27, 36-39 and 43-44. 

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on January 18, 2007 has been entered. 

Claim Rejections - 35 USC § 103 

The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

2. Claims 1, 2, 6-10, 14-19, 21-22 and 41 rejected under 35 U.S.C. 103(a) as being 
unpatentable over Porras et al., (Porras), U.S. Patent No. 6,704,874 in view of Shostack et al. 
(Shostack), U.S. Patent No. 6,298,445. 

As per claims 1 and 17: 

Porras substantially teaches a method comprising: 

detecting possible security problems at two or more client locations (3:16-41); 

transmitting notice of the possible security problems from the two or more client 
locations across a network to a home location remotely located from the two or more locations 
(3:36-41); 
determining at the home location an anomaly at one of the client locations based on an 
analysis of at least the possible security problems at the two or more client locations (5:63-6:33); 
and 

transmitting notice of the anomaly in real time to the client locations (6:34-37). 

Porras fails to teach performing the above steps in real time. However, Shostack 
discloses a real-time intrusion detection system that detects security problems, analyzes and 
alerts users (6:53-65). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 9, this is a computer readable medium version of the claimed method 
discussed above in claim 1 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 2: 

Shostack further discloses a method further comprising transmitting notice of the 
anomaly in real time to other client locations that may communicate with the home location over 
the network (6:58-59, wherein information about the network status includes anomalies found). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 
As per claim 10, this is a computer readable medium version of the claimed method 
discussed above in claim 2 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 6: 

Shostack further discloses a method in which the anomaly includes unauthorized access 
to the network (4:64-67; 5:1, wherein this is an example of a security vulnerability (4:47-48) and 
the security vulnerabilities function as anomalies). 

As per claim 14, this is a computer readable medium version of the claimed method 
discussed above in claim 6 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 7: 

Shostack further discloses a method in which the anomaly includes unauthorized access 
of a resource accessible through the network (5:1-4, wherein the program library is a network 
resource). 

As per claim 15, this is a computer readable medium version of the claimed method 
discussed above in claim 7 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 



Application/Control Number: 10/010,743 Page 5 

Art Unit: 2132 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 8: 

Shostack further discloses a method in which the anomaly includes unauthorized use of 
resources available through the network (6:10-13, wherein seeing the disk is using a network 
resource). 

As per claim 16, this is a computer readable medium version of the claimed method 
discussed above in claim 8 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 18: 

Shostack further discloses a method further comprising transmitting notice of the 
existence of the anomaly in real time from the home location to the remote client locations (7:57- 
63, wherein the software enhancement being sent is the notice of the security vulnerability, 
which functions as the anomaly). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 19: 

Shostack further discloses a method further comprising transmitting notice of the existence 
of the anomaly in real time from the home location to other remote client locations that 
may communicate with the home location over the network (6:58-59, wherein information about 
the network status includes anomalies found). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 21: 

Shostack further discloses a method further comprising transmitting information 
from the home location to the remote client locations to help the remote client location identify 
possible security problems (13:7-9, wherein the database updates to the security vulnerabilities 
help to identify possible security problems). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 22: 

Shostack further discloses a method further comprising determining the existence of the 
anomaly based on at least information regarding previous anomalies (9:56-63, wherein the 
database contains a log of all of the previous security vulnerabilities which function as 
anomalies). 
It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 



As per claim 41: 

Porras discloses a method comprising: 

detecting a possible security problem at a client location (3:16-41); 

transmitting notice of the possible security problems across a network to a home location 
remotely located from the client locations (3:36-41); 

determining, at the home location, an anomaly at one of the locations based on the 
possible security problems by searching for particular information in the anomaly, the particular 
information including at least one of a network address previously noted as a security problem 
and a particular query or command associated with a known intrusion pattern or technique, in 
which detecting possible security problems at the two or more client locations (5:63-6:33, 5:28- 
44); and 

transmitting notice of the anomaly in real time to the client locations (6:34-37). 

Porras fails to teach performing the above steps in real time. However, Shostack 
discloses a real-time intrusion detection system that detects security problems, analyzes and 
alerts users (6:53-65). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 
3. Claims 28, 30 and 32-34 rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shostack et al. (Shostack), U.S. Patent No. 6,298,445 in view of Porras et al., (Porras), U.S. 
Patent No. 6,704,874. 

As per claim 30: 

Shostack substantially teaches a system comprising: 
a server (9:10); 

for each of the client terminals, 

a first client mechanism accessible by the client terminal to detect a possible security 
problem at the client terminal (6:43-46, wherein an intrusion is a possible security problem), 

a second client mechanism accessible by the client terminal to transmit notice of the 
possible security problem across a network in real time to a server remotely located from the 
client terminal (6:53-57, wherein sending an alarm functions as transmitting notice of the 
possible security problem), and 

a third client mechanism accessible by the client terminal to receive updates from the 
server in real time regarding security problems that the first client mechanism may use in 
detecting possible security problems (7:57-63; 9:10-21, wherein the client receives the software 
enhancement updates which function as updates from the server about security problems); 

determining an anomaly continuously in real time (7:15-16, wherein the security 
vulnerabilities function as anomalies and the local server is the home location); and 

a second server mechanism accessible by the server to transmit notice of the anomaly in 
real time over the network to the client terminals (7:57-63; 9:10-21, wherein the software 
enhancement being sent is the notice of the security vulnerability, which functions as the 
anomaly). 

Shostack fails to teach determining an anomaly at one of the client terminals based on at 
least information received from the two or more client terminals regarding possible security 
problems. However, Porras discloses determining an anomaly based on alerts of possible 
security problems received from two or more clients (5:63-6:35). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to determine an anomaly based on possible security problems at two or more clients 
because this would allow detection that nominally different alerts may actually represent a single 
intrusion incident as taught by Porras (6:5-12). 

As per claim 28 this is an apparatus version of the claimed system discussed above in 
claim 30 wherein all claimed limitations have also been addressed and/or cited as set forth above. 

As per claim 32: 

Shostack further discloses a system in which the first server mechanism is also 
configured to determine the anomaly based on at least information regarding previously 
determined anomalies (9:56-63, wherein the database contains a log of all of the previous 
security vulnerabilities which function as anomalies). 

As per claim 33: 

Shostack further discloses a system in which the second server mechanism is also 
configured to transmit notice of the anomaly in real time to other client locations that may 
communicate with the server over the network (6:58-59, wherein information about the network 
status includes anomalies found). 
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As per claim 34: 

Shostack further discloses a system further comprising a firewall located between the 
client terminals and the server and configured to act as an intermediary for information flowing 
between the client terminals and the server (4:19-24, since the server is remotely connected to 
the network 20 (9:13-14; fig 2, item 20), the placement of the firewall makes it an intermediary 
between the external server and the client, therefore, the firewall's functionality as a filter shows 
that information flows between the server and client). 

4. Claims 40, 45, 48, 50 and 51 rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shostack et al. (Shostack), U.S. Patent No. 6,298,445 in view of Porras et al., (Porras), U.S. 
Patent No. 6,704,874 as applied to claim 28 and further in view of Shipley (U.S. 6,119,236). 

As per claim 40: 

a server (9:10); 

for each of the client terminals, 

a first client mechanism accessible by the client terminal to detect a possible security 
problem at the client terminal (6:43-46, wherein an intrusion is a possible security problem), 

a second client mechanism accessible by the client terminal to transmit notice of the 
possible security problem across a network in real time to a server remotely located from the 
client terminal (6:53-57, wherein sending an alarm functions as transmitting notice of the 
possible security problem), and 

a third client mechanism accessible by the client terminal to receive updates from the 
server in real time regarding security problems that the first client mechanism may use in 
detecting possible security problems (7:57-63; 9:10-21, wherein the client receives the software 
enhancement updates which function as updates from the server about security problems); 

determining an anomaly continuously in real time (7:15-16, wherein the security 
vulnerabilities function as anomalies and the local server is the home location); and 

a second server mechanism accessible by the server to transmit notice of the anomaly in 
real time over the network to the client terminals (7:57-63; 9:10-21, wherein the software 
enhancement being sent is the notice of the security vulnerability, which functions as the 
anomaly). 

Shostack fails to teach determining an anomaly at one of the client terminals based on at 
least information received from the two or more client terminals regarding possible security 
problems. However, Porras discloses determining an anomaly based on alerts of possible 
security problems received from two or more clients (5:63-6:35). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to determine an anomaly based on possible security problems at two or more clients 
because this would allow detection that nominally different alerts may actually represent a single 
intrusion incident as taught by Porras (6:5-12). 

Shostack and Porras fail to teach the updates being applied to a firewall. However, 
Shipley discloses dynamically programming firewalls in real time to account for an anomaly 
(7:58-8:41). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Porras with the invention of Shipley 
because each uses firewalls in their own inventions individually and utilizing Shipley's real time 
dynamic programming of the firewalls would allow the firewalls to better protect their respective 
networks since it would constantly be modified to account for the newest threats (Shipley, 2:56- 
65). 

As per claims 45 and 48: 

Shipley further discloses a method further comprising storing and performing complex 
analysis of anomaly trends by using a complexity theory mechanism (5:58-6:3). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Porras with the invention of Shipley 
because each uses firewalls in their own inventions individually and utilizing Shipley's real time 
dynamic programming of the firewalls would allow the firewalls to better protect their respective 
networks since it would constantly be modified to account for the newest threats (Shipley, 2:56- 
65). 

As per claims 50 and 51: 

Shipley further discloses a method further comprising updating, in real time, a firewall 
protecting the client location to account for the anomaly (7:58-8:41). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Porras because, in order to make a system 
less vulnerable to attack as stated in Shostack (2:18-28), not only do vulnerability updates need 
to be disseminated, but tracking the hacker who breached the security is also essential to the 
security of a system against intrusions, in order to ensure that the same person cannot do so again. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Porras with the invention of Shipley 
because each uses firewalls in their own inventions individually and utilizing Shipley's real time 
dynamic programming of the firewalls would allow the firewalls to better protect their respective 
networks since it would constantly be modified to account for the newest threats (Shipley, 2:56- 
65). 

5. Claims 4, 12 and 31 rejected under 35 U.S.C. 103(a) as being unpatentable over Porras in 
view of Shostack as applied to claims 1, 9, 23, 26 and 30 above and further in view of Baker, 
U.S. Patent No. 6,775,657. 

As per claim 4: 

Porras and Shostack fail to teach a method further comprising inspecting a packet that 
arrives at the client location to detect the possible security problem. However, Baker discloses a 
method wherein a network based intrusion detection system analyzes network packet data to 
make security decisions (1:41-42; 46-53). It would have been obvious to one of ordinary skill in 
the art at the time of applicant's invention to analyze a packet that arrives at the client in order to 
make security decisions because this would make the intrusion detection system scale well for 
network protection since it is the amount of traffic that determines performance, therefore it 
would also be easier to control and improve performance of the network as a whole (1:53-60). 

As per claim 12, this is a computer readable medium version of the claimed method 
discussed above in claim 4 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 31: 

Porras and Shostack fail to teach a system in which the first mechanism is also 
configured to monitor packets that arrive at the client terminal for the possible security problem. 
However, Baker discloses a method wherein a network based intrusion detection system 
analyzes network packet data to make security decisions (1:41-42; 46-53). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to analyze a packet that arrives at the client in order to make security decisions because 
this would make the intrusion detection system scale well for network protection since it is the 
amount of traffic that determines performance, therefore it would also be easier to control and 
improve performance of the network as a whole (1:53-60). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

6. Claims 5, 13 and 35 rejected under 35 U.S.C. 103(a) as being unpatentable over Porras in 
view of Shostack as applied to claims 1, 9 and 30 above and further in view of Bowman-Amuah, 
U.S. Patent No. 6,697,824. 

As per claim 5: 

Porras and Shostack fail to teach a method in which the network includes a virtual private 
network. However, Bowman-Amuah discloses a method wherein a network is protected from 
unauthorized access through the encryption services provided by Virtual Private Networking 
(75:64-65, fig 36). It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to include a virtual private network with the network because of the added 
security benefits a VPN affords a system against unauthorized users. 
As per claim 13, this is a computer readable medium version of the claimed method 
discussed above in claim 5 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 35: 

Porras and Shostack fail to teach a system in which at least one of the firewalls includes a 
corporate server. However, Bowman-Amuah discloses a method wherein a corporate firewall 
includes a corporate server at a corporate headquarters (75:65-66; 76:19-23). It would have been 
obvious to one of ordinary skill in the art at the time of applicant's invention to include a 
corporate server with the firewall because if the intrusion detection system were to be used in a 
business setting the firewalls would provide increased access control for the internal network 
(76:21-23). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

7. Claims 42 and 52 rejected under 35 U.S.C. 103(a) as being unpatentable over Shostack 
(U.S. 6,298,445) in view of Lyle (U.S. 6,886,102) and further in view of Moran, U.S. Patent No. 
6,826,697. 

As per claim 42: 

Shostack discloses a method comprising: 

detecting a possible security problem at a client location (6:43-46, wherein an intrusion is 
a possible security problem); 
transmitting notice of the possible security problem across a network in real time to a 
home location remotely located from the location (6:53-57, wherein sending an alarm functions 
as transmitting notice of the possible security problem and the system administrator resides at a 
home location which is the local server); 

transmitting notice of the anomaly in real time to the client location (7:57-63; 9:10-21, 
wherein the software enhancement being sent is the notice of the security vulnerability, which 
functions as the anomaly). 

Shostack fails to teach determining at the home location an anomaly by at least 
comparing the possible security problem with information previously logged at the home 
location, including searching for an unexpected login. However, Lyle discloses a method 
wherein the event, which consists of an attack, is compared to other events that have occurred 
(7:50-8:11). 

Shostack and Lyle fail to teach a method in which determining the anomaly comprises 
searching for an unexpected login. However, Moran discloses a method wherein failed login 
attempts are logged (19:41-20:18). A failed login attempt is an unexpected login since it is not 
a correct login. The login process does not expect the login information to be wrong; therefore a 
failed login qualifies as an unexpected login by an unexpected user. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Lyle with Moran because in order to make a 
system less vulnerable to attack as stated in Shostack (2:18-28), the ability to detect further types 
of attacks such as forward and backward time steps in a log file or an overflow buffer attack as 
stated in Moran (4:1-37) would increase the security against attacks as a whole. 
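The following is an added illustration, in Python, of the claim elements addressed in the rejections of claims 1, 41 and 42 above and of the firewall update of claims 50 and 51: client locations transmit notice of possible security problems to a home location; the home location compares each notice against previously logged notices, against network addresses previously noted as a security problem and against commands associated with known intrusion patterns, correlates alerts across two or more client locations (the rationale drawn from Porras above) and transmits notice of the anomaly to all client locations, which update a local firewall deny list. It is not code from this Office action or from the Porras, Shostack, Lyle, Moran or Shipley references; the alert format, the intrusion patterns, the failed-login threshold and the sample alerts are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    """Notice of a possible security problem, client -> home location.
    Constructed format for this example, not from any cited reference."""
    client: str        # client location that detected the problem
    src_ip: str        # remote network address involved
    kind: str          # "failed_login", "command" or "scan" in this example
    detail: str = ""   # e.g. the command text when kind == "command"


@dataclass(frozen=True)
class Notice:
    """Notice of a determined anomaly, home location -> one client."""
    to_client: str
    at_client: str
    src_ip: str
    reasons: tuple


@dataclass
class HomeLocation:
    """Home location: logs every alert and determines anomalies from the
    alerts of two or more client locations."""
    bad_addresses: set = field(default_factory=set)  # addresses previously noted as a problem
    failed_login_threshold: int = 3                   # assumed threshold
    # commands associated with a known intrusion technique (assumed patterns)
    intrusion_patterns: tuple = (
        re.compile(r"\bcat\s+/etc/(passwd|shadow)\b"),
        re.compile(r"\bnc\b.*\s-e\s"),
    )
    log: list = field(default_factory=list)   # previously logged alerts
    clients: set = field(default_factory=set)

    def register_client(self, name):
        self.clients.add(name)

    def receive(self, alert):
        """Log an incoming alert, decide whether it is an anomaly, and return
        the notices to transmit (one per client location; empty if none)."""
        self.log.append(alert)
        self.clients.add(alert.client)
        reasons = self._determine_anomaly(alert)
        if not reasons:
            return []
        self.bad_addresses.add(alert.src_ip)  # note the address for later comparisons
        return [Notice(c, alert.client, alert.src_ip, tuple(reasons))
                for c in sorted(self.clients)]

    def _determine_anomaly(self, alert):
        reasons = []
        # network address previously noted as a security problem
        if alert.src_ip in self.bad_addresses:
            reasons.append("address previously noted as a security problem")
        # command associated with a known intrusion technique
        if alert.kind == "command" and any(p.search(alert.detail) for p in self.intrusion_patterns):
            reasons.append("command matches known intrusion pattern")
        # compare with previously logged alerts: repeated failed (unexpected) logins
        failures = sum(1 for a in self.log
                       if a.kind == "failed_login" and a.src_ip == alert.src_ip)
        if failures >= self.failed_login_threshold:
            reasons.append(f"{failures} failed logins from this address")
        # nominally different alerts from two or more clients may be one incident
        seen_at = {a.client for a in self.log if a.src_ip == alert.src_ip}
        if len(seen_at) >= 2:
            reasons.append(f"same address seen at {len(seen_at)} client locations")
        return reasons


class ClientFirewall:
    """Client-side mechanism that updates the firewall when a notice arrives;
    a plain deny set stands in for real firewall rules here."""
    def __init__(self):
        self.deny = set()

    def apply(self, notice):
        self.deny.add(notice.src_ip)
        return f"deny from {notice.src_ip}"


def run_sample():
    """Replay constructed alerts from three client locations; returns the
    notice batch per alert and each client's resulting deny list."""
    home = HomeLocation(bad_addresses={"192.0.2.99"})  # assumed initial watch list
    firewalls = {c: ClientFirewall() for c in ("branch-a", "branch-b", "branch-c")}
    for c in firewalls:
        home.register_client(c)
    alerts = [  # constructed sample input
        Alert("branch-a", "203.0.113.7", "failed_login"),
        Alert("branch-a", "203.0.113.7", "failed_login"),
        Alert("branch-b", "203.0.113.7", "failed_login"),
        Alert("branch-c", "198.51.100.9", "command", "cat /etc/passwd"),
        Alert("branch-c", "203.0.113.7", "scan"),
        Alert("branch-b", "192.0.2.99", "scan"),
        Alert("branch-b", "192.0.2.50", "scan"),
    ]
    batches = []
    for alert in alerts:
        notices = home.receive(alert)
        for n in notices:
            firewalls[n.to_client].apply(n)
        batches.append(notices)
    return batches, {c: sorted(fw.deny) for c, fw in firewalls.items()}


if __name__ == "__main__":
    for batch in run_sample()[0]:
        for n in batch:
            print(n.to_client, "<-", n.at_client, n.src_ip, "; ".join(n.reasons))
```

In the sample replay the third failed login from the same address, arriving from a second client location, is the first alert the home location treats as an anomaly; the single-client failures before it are only logged. Every notice goes to all registered clients, so each client's deny list ends up identical.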
8. Claims 29, 30 and 32-34 rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shostack et al. (Shostack), U.S. Patent No. 6,298,445 in view of Porras et al., (Porras), U.S. 
Patent No. 6,704,874 as applied to claims 30, 28 and 40 above and further in view of Lyle, U.S. 
Patent No. 6,886,102. 

As per claim 29: 

Lyle further discloses an apparatus in which the first mechanism also determines the 
anomaly based on at least information regarding previously determined anomalies (7:66-8:11). 

As per claim 46: 

Lyle further discloses a method wherein a wide view mechanism such as an analysis 
framework module, collects and maintains information regarding events reported to the server 
(7:50-65) which includes a statistics mechanism to compute and store records of events (8:12- 
20). 

As per claims 47 and 49: 

Lyle further discloses a method further comprising a statistics mechanism to compute and 
store records of anomalies (8:12-39). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack, Porras and Lyle because, in order to make a 
system less vulnerable to attack as stated in Shostack (2:18-28), not only do vulnerability 
updates need to be disseminated, but tracking the hacker who breached the security is also 
essential to the security of a system against intrusions, in order to ensure that the same person 
cannot do so again. 
Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kristin D. Sandoval whose telephone number is 571-272-7958. 
The examiner can normally be reached on Monday - Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




Kristin D Sandoval 

Examiner 

Art Unit 2132 